Hey there @dengziyang77 welcome to the community!
I believe this is the result of requesting an HS256 token without an audience. Are you passing an audience param to loginWithRedirect() or any other form of invoking an authorization call?
Let us know!